Installing SSL Certificates

Aspera strongly recommends installing valid, signed SSL certificates on your HST Server. The SSL certificates are used by asperanoded and asperahttpd.

Requirements:

  • A signed root certificate or certificate bundle (root certificate with chained or intermediary certificates) from an authorized Certificate Authority. For instructions on generating an SSL certificate, see Setting up SSL for your Nodes.
  • The certificate is in .pem format. Other formats are not supported.

Procedure Overview:

The procedure modifies or creates three files:

aspera_server_key.pem
  • Created automatically during transfer server installation.
  • Found in the default Aspera installation directory: /opt/aspera/etc
  • Contains the default private key.
  • In this procedure, you replace the default private key with the new private key generated with the certificate signing request (CSR).
aspera_server_cert.pem
  • Created automatically during transfer server installation.
  • Found in the default Aspera installation directory: /opt/aspera/etc
  • Contains the default self-signed certificate.
  • In this procedure, you replace the default self-signed certificate with the content described in step 3.
aspera_server_cert.chain
  • You create this file, as described below.
  • You place the file in the same directory as aspera_server_key.pem and aspera_server_cert.pem.
  • You place the certificate bundle (chained or intermediary certificates) from the CA in this file.

Changing Filenames and Locations:

If desired, the default filenames and locations of the certificate files and chain files can be changed by configuring settings in the transfer server's aspera.conf file, using asconfigurator commands:

# asconfigurator -x "set_http_server_data;cert_file,path/certfile.pem"
# asconfigurator -x "set_http_server_data;key_file,path/keyfile.pem"
# asconfigurator -x "set_server_data;cert_file,path/certfile.pem"
Note: The chain file for asperanoded must match the location and name of the asperanoded certificate file, but with the .chain extension.

The commands add the following text to aspera.conf:

<http_server>
    ...
    <key_file>path/keyfile.pem</key_file>     <!-- key file for asperahttpd -->
    <cert_file>path/certfile.pem</cert_file>  <!-- cert file for asperahttpd -->
    ...
</http_server>

<server>
    ...
    <cert_file>path/certfile.pem</cert_file>  <!-- cert file for asperanoded -->
    ...
</server>

Installing the SSL Certificates:

  1. Back up the default private key and self-signed certificate, using the following commands:
    # cd /opt/aspera/etc
    # cp aspera_server_key.pem aspera_server_key.pem.bak
    # cp aspera_server_cert.pem aspera_server_cert.pem.bak
  2. Open aspera_server_key.pem and replace the existing content with the new private key generated with the certificate signing request (CSR). Save and close the file.
  3. In aspera_server_cert.pem, replace the existing content with the following, in the order shown:
    1. the new private key
    2. the server certificate
    3. any chained or intermediary certificates from the CA in order of ascending authority, for example:

      intermediary certificate 1
      intermediary certificate 2
      intermediary certificate 3

    4. the root certificate from the CA

    Save and close the file.

  4. Create a new file named aspera_server_cert.chain. This file must reside in the same directory as the .pem files.
    If you have a certificates bundle from the CA, the contents of aspera_server_cert.chain must consist of the following, in the order shown:
    1. the server certificate
    2. the certificates bundle, which includes the root certificate

    If you do not have a certificates bundle from the CA, the contents of aspera_server_cert.chain must consist of the following, in the order shown:

    1. the server certificate
    2. any chained or intermediary certificates from the CA in order of ascending authority, for example:

      intermediary certificate 1
      intermediary certificate 2
      intermediary certificate 3

    3. the root certificate from the CA
  5. Restart asperacentral, asperanoded, and asperahttpd:
    # service asperacentral restart
    # service asperahttpd restart
    # service asperanoded restart
  6. Verify the certificates by using OpenSSL.
    1. Test that you can connect to asperanoded by running the following command:
      # /opt/aspera/bin/openssl s_client -connect myserver:9092
      This example assumes that you are using the default node port (HTTPS 9092). Replace myserver with the IP address or hostname of your server.

      The command returns 0 for success or 1 for failure.

      Output examples:

      Success: The following sample output shows that verification was successful because verify return is 0.

      depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
      verify error:num=20:unable to get local issuer certificate
      verify return:0

      Failure: The following sample output shows that verification failed because verify return is 1.

      depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
      verify error:num=27:certificate not trusted
      verify return:1
      depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
      verify error:num=21:unable to verify the first certificate
      verify return:1
      Note: You must see as many elements in the output as there are certificates in the chain. In the following examples there is one root certificate and two chained certificates, so the output must show three elements to prove the installation was successful.

      Success: The following example shows a successful verification for one root certificate and two intermediary certificates in the chain:

      Certificate chain
       0 s:/C=US/ST=California/L=Emeryville/O=IBM/OU=Aspera Inc IT Department/CN=*.asperafiles.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
       1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

      Failure: The following example shows an unsuccessful verification, since only the root certificate is displayed.

      Certificate chain
       0 s:/C=US/ST=California/L=Emeryville/O=IBM/OU=Aspera Inc IT Department/CN=*.asperafiles.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
      
    2. If verification fails, inspect your certificate content by running the following command:
      # /opt/aspera/bin/openssl x509 -in certificate.crt -text -noout
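The following script is an added example and is not part of the Aspera documentation or product. It performs steps 1 to 5 above from separately supplied PEM files instead of pasting content by hand, so that the ordering rules (private key, server certificate, intermediaries in ascending order of authority, root) cannot be applied inconsistently between aspera_server_cert.pem and aspera_server_cert.chain. It assumes the key, server certificate, intermediaries and root arrive as individual PEM files; if the CA supplied a single bundle that already includes the root, pass the bundle as the ROOT argument with no intermediaries. The destination directory is whatever you pass, normally /opt/aspera/etc.

```shell
#!/bin/sh
# Added example, not part of the Aspera documentation: assemble the files from
# steps 1 to 4 out of separately supplied PEM pieces instead of pasting by hand.
# Assumptions: the CA pieces are separate PEM files (private key, server
# certificate, intermediaries, root); DEST is the directory holding
# aspera_server_key.pem and aspera_server_cert.pem (/opt/aspera/etc by default).

# Fail unless FILE exists and contains a PEM block whose header ends in HEADER
# (matches "PRIVATE KEY", "RSA PRIVATE KEY", "CERTIFICATE", but not a CSR).
require_pem() {
    file=$1; header=$2
    if [ ! -s "$file" ]; then
        echo "missing or empty: $file" >&2; return 1
    fi
    if ! grep -q "^-----BEGIN .*$header-----" "$file"; then
        echo "$file has no $header block" >&2; return 1
    fi
}

# install_aspera_certs DEST KEY SERVER_CERT ROOT_CERT [INTERMEDIATE ...]
# Intermediaries are given in ascending order of authority (the one that signed
# the server certificate first), as the procedure requires.
install_aspera_certs() {
    dest=$1; key=$2; server=$3; root=$4
    shift 4                                   # $@ now holds the intermediaries

    require_pem "$key" "PRIVATE KEY" || return 1
    require_pem "$server" "CERTIFICATE" || return 1
    require_pem "$root" "CERTIFICATE" || return 1
    for inter in "$@"; do
        require_pem "$inter" "CERTIFICATE" || return 1
    done

    # Step 1: keep a copy of the default key and self-signed certificate.
    for f in aspera_server_key.pem aspera_server_cert.pem; do
        if [ -f "$dest/$f" ]; then cp -p "$dest/$f" "$dest/$f.bak"; fi
    done

    # Steps 2 and 3: both files start with the private key, so create them
    # under a restrictive umask and pin the mode regardless of what existed.
    (
        umask 077
        cat "$key" > "$dest/aspera_server_key.pem"
        cat "$key" "$server" "$@" "$root" > "$dest/aspera_server_cert.pem"
    )
    chmod 600 "$dest/aspera_server_key.pem" "$dest/aspera_server_cert.pem"

    # Step 4: the chain file is the same sequence without the private key.
    cat "$server" "$@" "$root" > "$dest/aspera_server_cert.chain"
}

# Step 5, kept separate so the assembly can be tested without touching services.
restart_aspera_services() {
    service asperacentral restart && service asperahttpd restart && service asperanoded restart
}

# Usage: sh install_certs.sh DEST KEY SERVER ROOT [INTERMEDIATE ...]
if [ $# -ge 4 ]; then
    install_aspera_certs "$@" && restart_aspera_services
fi
```

The header check rejects a certificate signing request or an empty file passed in the wrong position, which is the most common way the hand-paste procedure goes wrong, and the key-bearing files are created with mode 600 because aspera_server_cert.pem contains the private key as well as the certificate.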
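The following script is an added example and is not part of the Aspera documentation or product. It reads the output of the step 6 s_client test mechanically, applying the two criteria stated above: the "Certificate chain" section must list one entry per installed certificate (server plus intermediaries plus root) and no "verify return:1" line may appear. As a third signal that goes beyond the page, it also reads the "Verify return code: N (...)" line that openssl s_client prints at the end of its output and fails when N is not 0. The two transcripts embedded in the script are constructed samples, not output from a real server; the host name myserver and the default port 9092 are taken from the procedure.

```shell
#!/bin/sh
# Added example, not part of the Aspera documentation: read the output of
# "openssl s_client" mechanically rather than by eye, using the criteria from
# step 6 plus the final "Verify return code" line that s_client prints.

# chain_check EXPECTED  (s_client transcript on stdin)
# Returns 0 when the transcript passes all checks, 1 otherwise (reason on stderr).
chain_check() {
    expected=$1
    out=$(cat)
    # Each "Certificate chain" entry begins with its depth followed by " s:".
    shown=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
    # Step 6 treats any "verify return:1" line as a failed verification.
    failed=$(printf '%s\n' "$out" | grep -c '^ *verify return:1' || true)
    # Last "Verify return code: N (...)" line, if present (0 means ok).
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)

    if [ "$failed" -ne 0 ]; then
        echo "FAIL: $failed 'verify return:1' line(s) in transcript" >&2; return 1
    fi
    if [ "$shown" -lt "$expected" ]; then
        echo "FAIL: chain shows $shown certificate(s), expected $expected" >&2; return 1
    fi
    if [ -n "$code" ] && [ "$code" -ne 0 ]; then
        echo "FAIL: Verify return code $code" >&2; return 1
    fi
    echo "OK: $shown certificate(s) in chain"
    return 0
}

# Live use: check_node HOST [PORT] [EXPECTED]  (defaults: 9092, 3 certificates)
check_node() {
    host=$1; port=${2:-9092}; expected=${3:-3}
    /opt/aspera/bin/openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | chain_check "$expected"
}

# Constructed transcripts (not real server output) for an offline check.
# One root and one intermediary installed correctly: three chain entries.
SAMPLE_FULL_CHAIN='Certificate chain
 0 s:/C=US/O=Example/CN=node.example.test
   i:/C=US/O=Example/CN=Example Issuing CA
 1 s:/C=US/O=Example/CN=Example Issuing CA
   i:/C=US/O=Example/CN=Example Root CA
 2 s:/C=US/O=Example/CN=Example Root CA
   i:/C=US/O=Example/CN=Example Root CA
---
verify return:0
Verify return code: 0 (ok)'

# Chain file missing or ignored: only the server certificate is presented.
SAMPLE_SERVER_ONLY='Certificate chain
 0 s:/C=US/O=Example/CN=node.example.test
   i:/C=US/O=Example/CN=Example Issuing CA
---
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)'

if [ $# -ge 1 ]; then
    check_node "$@"                       # e.g. sh check_chain.sh myserver 9092 3
else
    printf '%s\n' "$SAMPLE_FULL_CHAIN" | chain_check 3
    printf '%s\n' "$SAMPLE_SERVER_ONLY" | chain_check 3 || true
fi
```

Run with no arguments to see both samples evaluated; run with a host to test a live node. EXPECTED should be the number of certificates you concatenated into aspera_server_cert.chain, which is how the note under step 6 defines a complete chain.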